Re: Discussion on security

by Holger Brunn - 02/15/2016 09:13:06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> So the only solution I found to /securely/ have different UI for
> admin and user is 1-st defining an empty view and later inheriting it
> by admin and user.
Anything you do with views, action/menu restrictions etc. is never
secure, that's only eye candy. Users will be able to query whatever
they want via XMLRPC, JSON, imports, you name it.
Really effective restrictions on field level are only possible with
setting a group on the field:
https://github.com/OCA/OCB/blob/8.0/openerp/fields.py#L152 - but this
makes the field entirely inaccessible for people who are not a member
of the group(s) mentioned, possibly not what you want.
For proper field level access restrictions, I posted a proposal
recently, feel free to try this if you're interested:
https://github.com/OCA/server-tools/issues/332
If you still want to go only for the eye candy, you can actually use
groups_id on views, but not the way you outline above:
- create a view with full access: v1
- create a group all people with limited access are a member of: g1
- create a view inheriting from v1 that sets the fields you want
readonly as readonly, or removes elements entirely, and set
groups_id=g1 there, arch should look similar to:
false
1
[repeat]
--
Therp - Maatwerk in open ontwikkeling
Holger Brunn - Ontwerp en implementatie
mail: holger@therp.nl
web: http://therp.nl
phone: +31 (0)20 3093096
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EAREIAAYFAlbB3PIACgkQAcl2D+yjrhjbewD/ae2MR8o3rxAN/D9E6iz+NHzC
1slV3UhMXDtJXJjFKIwBAI9RPLu6Ob77bAm6+xbCrKvqNbpGSIgbLUaUXdpSt4R4
=2fJY
-----END PGP SIGNATURE-----
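The three steps listed in the message above (full view v1, limited group g1, inheriting view carrying groups_id=g1), written out as an Odoo 8 data file. This is an added example, not code from the original message or from Therp/OCA; the module name `my_module`, the model `my.model`, the field names `name`/`secret_amount`, the button `action_approve` and the group external id `group_limited` are all assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original message). Odoo 8 syntax.
     Module name, model, field names, button and group id are assumptions. -->
<openerp>
    <data>
        <!-- g1: every user who should get the limited UI is a member of this group -->
        <record id="group_limited" model="res.groups">
            <field name="name">Limited access (g1)</field>
        </record>

        <!-- v1: the full form view; no groups_id, so it is used for everybody -->
        <record id="view_my_model_form" model="ir.ui.view">
            <field name="name">my.model.form</field>
            <field name="model">my.model</field>
            <field name="arch" type="xml">
                <form string="My model">
                    <field name="name"/>
                    <field name="secret_amount"/>
                    <button name="action_approve" type="object" string="Approve"/>
                </form>
            </field>
        </record>

        <!-- the inheriting view: Odoo only applies it for members of g1,
             so those users see secret_amount read-only and no Approve button -->
        <record id="view_my_model_form_limited" model="ir.ui.view">
            <field name="name">my.model.form.limited</field>
            <field name="model">my.model</field>
            <field name="inherit_id" ref="view_my_model_form"/>
            <field name="groups_id" eval="[(4, ref('my_module.group_limited'))]"/>
            <field name="arch" type="xml">
                <!-- make the field read-only in the UI -->
                <field name="secret_amount" position="attributes">
                    <attribute name="readonly">1</attribute>
                </field>
                <!-- remove the element entirely -->
                <button name="action_approve" position="replace"/>
            </field>
        </record>
    </data>
</openerp>
```

Note the order of records: the group and v1 must be loaded before the inheriting view, since `inherit_id` and `groups_id` reference them. As the message stresses, this only changes what the form renders; a member of g1 can still read or write `secret_amount` through XML-RPC, JSON-RPC or an import, and calling `action_approve` is still possible. Declaring `groups="my_module.group_limited"` on the field itself (fields.py) is what actually withholds it, at the price of hiding it completely from everyone outside the group.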